While working on the TypeGPU project, I scanned the dependency manifest and found that it uses a vulnerable version of dompurify. The scan revealed a URI validation bypass issue where custom attribute predicates can skip protocol checks, potentially allowing unsafe values like javascript: to pass through sanitization and lead to DOM-based XSS.
CVE Report
CVE Link